<!-- @(#) $Id: authpsa_rules.xml,v 0.1 $ - Author: Brent Meshier - brent@meshier.com --> <var name="AUTHPSA_FREQ">6</var> <group name="syslog,authpsa,"> <rule id="4600" level="0" noalert="1"> <decoded_as>authpsa</decoded_as> <description>Grouping of the authpsa rules.</description> </rule> <rule id="4601" level="5"> <if_sid>4600</if_sid> <match>authpsa: checkmailpasswd: FAILED</match> <description>authpsa user login failed.</description> <group>authentication_failed,</group> </rule> <rule id="4651" level="10" frequency="$AUTHPSA_FREQ" timeframe="900"> <if_matched_sid>4601</if_matched_sid> <same_source_ip /> <description>Multiple failed logins from same source ip.</description> <group>authentication_failures,</group> </rule> </group>